fix: guard computeOffset against negative results before address arithmetic

computeOffset() returns int64_t but most callers added the result directly
to baseAddress (uint64_t) without checking for negative values. A malformed
tree with negative cumulative offsets would produce wrapped addresses,
potentially reading/writing arbitrary memory in the bitfield toggle and
edit paths. Added sign checks at all 9 unguarded call sites.
IChooseYou
2026-03-14 17:31:13 -06:00
committed by IChooseYou
parent 7528d1bbbb
commit 89d6e1944b
2 changed files with 21 additions and 7 deletions


@@ -4713,6 +4713,7 @@ void MainWindow::createScannerDock() {
for (int i = 0; i < tree.nodes.size(); i++) {
const auto& n = tree.nodes[i];
int64_t off = tree.computeOffset(i);
if (off < 0) continue;
int sz = (n.kind == rcx::NodeKind::Struct || n.kind == rcx::NodeKind::Array)
? tree.structSpan(n.id) : n.byteSize();
int64_t end = off + sz;
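Review bot: the new `if (off < 0) continue;` guards only one operand of `int64_t end = off + sz;` in this hunk; `sz` comes from `tree.structSpan(n.id)` or `n.byteSize()` and is still unchecked, so a malformed tree that yields a negative or oversized span produces the same kind of bad `end` the commit message is trying to rule out. Suggest also rejecting `sz < 0` in the same check (e.g. `if (off < 0 || sz < 0) continue;`) and, since `sz` is an `int` while `off` and `end` are `int64_t`, either widening `sz` or bounding it so `off + sz` cannot wrap. Separately, silently skipping a node with `continue` hides the malformed input from the user and from anyone debugging the tree; a brief comment at the skip (or a debug log) stating that the node is dropped because the tree is inconsistent would make the intent of the guard clear to the next reader.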